alltasksIT Managed Services

Essential Eight Maturity Model

Essential security for your business

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations mitigate cyber security incidents caused by various cyber threats. The most effective of these mitigation strategies are known as the Essential Eight.

Maturity Levels

To assist organisations in determining the maturity of their implementation of the Essential Eight, three maturity levels have been defined for each mitigation strategy. The maturity levels are defined as:
Maturity Level One: Partly aligned with the intent of the mitigation strategy
Maturity Level Two: Mostly aligned with the intent of the mitigation strategy
Maturity Level Three: Fully aligned with the intent of the mitigation strategy.
Watch our recent webinar video to learn more about the Essential Eight model and the different maturity levels.


What maturity level to aim for

As a baseline, organisations should aim to reach Maturity Level Three for each mitigation strategy. However, some organisations are constantly targeted by highly skilled adversaries, or otherwise operate in a higher-risk environment. Where the ACSC believes an organisation requires a maturity level above Maturity Level Three, the ACSC will provide tailored advice to meet the specific needs of that organisation.


What the Essential Eight Maturity Model looks like across different aspects of your business

Application whitelisting

Level 1
An application whitelisting solution is implemented on all workstations to restrict the execution of executables to an approved set.

An application whitelisting solution is implemented on all servers to restrict the execution of executables to an approved set.

Level 2
An application whitelisting solution is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set.

An application whitelisting solution is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set.

Level 3
An application whitelisting solution is implemented on all workstations to restrict the execution of executables, software libraries, scripts and installers to an approved set.

An application whitelisting solution is implemented on all servers to restrict the execution of executables, software libraries, scripts and installers to an approved set. Microsoft’s latest recommended block rules are implemented to prevent application whitelisting bypasses.
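The three levels above differ only in which file types the approved set covers. The following script is an added example (it is not from this page, from alltasksIT or from the ACSC) that builds an AppLocker policy from a reference machine with the coverage matching a chosen maturity level, tests it against a user-writable path before enforcing, and merges it with any block rules already in local policy. It assumes a Windows edition with the AppLocker module, that Program Files and Windows on the reference machine contain only approved software, and the probe path under Downloads is hypothetical.

```powershell
<#
  Added example: AppLocker policy scoped to the maturity level text above.
  Assumes a reference workstation whose admin-writable directories hold
  only approved software (the "approved set").
#>
param(
    [ValidateSet(1,2,3)] [int] $MaturityLevel = 3,
    [string] $PolicyPath = "$env:TEMP\E8-AppLocker.xml",
    [switch] $Apply
)

# Level 1 covers executables only; Levels 2 and 3 add libraries, scripts and installers.
$fileTypes = if ($MaturityLevel -eq 1) { 'Exe' } else { 'Exe','Dll','Script','WindowsInstaller' }

# Inventory the approved set from directories that only administrators can write to.
$approved = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType $fileTypes -ErrorAction SilentlyContinue
}

# Publisher rules for signed files, hash rules for the rest. -Optimize collapses
# per-file rules into per-publisher rules so the policy survives vendor updates.
New-AppLockerPolicy -FileInformation $approved -RuleType Publisher,Hash `
    -User Everyone -RuleNamePrefix E8 -Optimize -Xml |
    Out-File -FilePath $PolicyPath -Encoding utf8

# A policy emitted with -Xml has EnforcementMode="NotConfigured", which enforces
# nothing. Switch every generated collection to enforce.
[xml]$policy = Get-Content -Path $PolicyPath -Raw
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'Enabled' }
$policy.Save($PolicyPath)

# Dry run against something the policy must block: a binary in a user-writable path.
$probe = "$env:USERPROFILE\Downloads\unapproved.exe"   # hypothetical path
if (Test-Path $probe) {
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $probe -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule   # expect DeniedByDefault
}

if ($Apply) {
    # AppLocker only enforces while the Application Identity service is running.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    # -Merge keeps rules already in local policy, e.g. Microsoft's recommended block
    # rules (Level 3) imported from their own XML, rather than replacing them.
    Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
}
```

Run it without -Apply first and review the generated XML: hash rules for unsigned files will break on every update of that software, so either get those vendors' signed builds or accept a re-inventory step in the patch process.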

Patch applications

Level 1
Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within one month of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.

Level 2
Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within two weeks of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.

Level 3
Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

An automated mechanism is used to confirm and record that deployed application and driver patches or updates have been installed, applied successfully and remain in place.

Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.

Configure Microsoft Office macro settings

Level 1
Microsoft Office macros are allowed to execute, but only after prompting users for approval.

Microsoft Office macro security settings cannot be changed by users.

Level 2
Only signed Microsoft Office macros are allowed to execute.

Microsoft Office macros in documents originating from the Internet are blocked.

Microsoft Office macro security settings cannot be changed by users.

Level 3
Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros.

Microsoft Office macros in documents originating from the Internet are blocked.

Microsoft Office macro security settings cannot be changed by users.

User application hardening

Level 1
Web browsers are configured to block or disable support for Flash content.

Level 2
Web browsers are configured to block or disable support for Flash content.

Web browsers are configured to block web advertisements.

Web browsers are configured to block Java from the Internet.

Level 3
Web browsers are configured to block or disable support for Flash content.

Web browsers are configured to block web advertisements.

Web browsers are configured to block Java from the Internet.

Microsoft Office is configured to disable support for Flash content.

Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.
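The Office macro levels (prompt, signed only, trusted locations only) and the Office hardening items above (Flash, OLE packages) are all registry-backed settings that the Office Group Policy templates write. The script below is an added example, not from this page, alltasksIT or the ACSC, that writes those values directly so the result can be checked on a single workstation; in production they are pushed by Group Policy. It assumes Office 2016 or later (the 16.0 hive), writes under HKCU for the current user only, and the trusted-location share is hypothetical.

```powershell
<#
  Added example: Office macro settings per maturity level, plus the OLE
  package and Flash hardening from User application hardening.
  Assumes Office 16.0; applies to the current user's hive only.
#>
param(
    [ValidateSet(1,2,3)] [int] $MaturityLevel = 3,
    [string] $TrustedLocation = '\\fileserver\ApprovedMacros'   # hypothetical vetted share
)

function Set-Dword($Path, $Name, $Value) {
    New-Item -Path $Path -Force | Out-Null
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$apps = 'Word', 'Excel', 'PowerPoint'
foreach ($app in $apps) {
    # Values under Software\Policies are honoured by Office and greyed out in the
    # Trust Center, which is what "cannot be changed by users" means in practice.
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"

    # VBAWarnings: 2 = disable with notification (Level 1, user is prompted)
    #              3 = only digitally signed macros run (Level 2)
    #              4 = disable all; with Trusted Locations this is Level 3
    $vba = switch ($MaturityLevel) { 1 { 2 } 2 { 3 } 3 { 4 } }
    Set-Dword $sec 'VBAWarnings' $vba

    if ($MaturityLevel -ge 2) {
        # Block macros in files carrying the Mark-of-the-Web (downloaded or emailed).
        Set-Dword $sec 'blockcontentexecutionfrominternet' 1
    }

    if ($MaturityLevel -eq 3) {
        $tl = "$sec\Trusted Locations"
        Set-Dword $tl 'AllowUserLocations' 0      # users cannot add their own trusted folders
        Set-Dword $tl 'AllowNetworkLocations' 1   # required because the vetted folder is a share
        New-Item -Path "$tl\Location1" -Force | Out-Null
        New-ItemProperty -Path "$tl\Location1" -Name 'Path' -Value $TrustedLocation `
            -PropertyType String -Force | Out-Null
        Set-Dword "$tl\Location1" 'AllowSubfolders' 0
        # The registry only says where Office trusts. NTFS and share ACLs on
        # $TrustedLocation must restrict write access to the macro-vetting role.
    }

    # OLE Package objects never activate (2 = block without prompting). Office reads
    # this from the non-policy key, so deploy it with Group Policy Preferences.
    Set-Dword "HKCU:\Software\Microsoft\Office\16.0\$app\Security" 'PackagerPrompt' 2
}

# Disable the Flash ActiveX control inside Office via its COM kill bit (0x400).
$flashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility') {
    Set-Dword "$root\$flashClsid" 'Compatibility Flags' 0x400
}

# Read back the effective macro policy for each application.
foreach ($app in $apps) {
    Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" |
        Select-Object @{n='App'; e={ $app }}, VBAWarnings, blockcontentexecutionfrominternet
}
```

The read-back at the end is the check an assessor will perform: VBAWarnings of 4 with no trusted locations means macros are simply off, which is stricter than Level 3 but breaks the vetted-macro workflow the level describes.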

Restrict administrative privileges

Level 1
Privileged access to systems, applications and information is validated when first requested.

Policy security controls are used to prevent privileged users from reading emails, browsing the Web and obtaining files via online services.

Level 2
Privileged access to systems, applications and information is validated when first requested and revalidated on an annual or more frequent basis.

Policy security controls are used to prevent privileged users from reading emails, browsing the Web and obtaining files via online services.

Level 3
Privileged access to systems, applications and information is validated when first requested and revalidated on an annual or more frequent basis.

Privileged access to systems, applications and information is limited to that required for personnel to undertake their duties.

Technical security controls are used to prevent privileged users from reading emails, browsing the Web and obtaining files via online services.
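Revalidating privileged access "on an annual or more frequent basis" and keeping privileged users out of email and the web are only auditable if there is a record to check. The script below is an added example (not from this page, alltasksIT or the ACSC) that lists every account holding privileged group membership in Active Directory, flags accounts with no review in the last year, stale accounts, and privileged accounts that carry a mail address (a sign the same account is used for email). It assumes the ActiveDirectory module and, as a convention this example invents, that the last review date is stored in extensionAttribute1 as yyyy-MM-dd.

```powershell
<#
  Added example: privileged access revalidation report.
  Assumes the ActiveDirectory RSAT module and that the last access review
  date is recorded in extensionAttribute1 (assumed convention, not an AD standard).
#>
Import-Module ActiveDirectory

$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators', 'DnsAdmins'
$reviewAttr = 'extensionAttribute1'
$now        = Get-Date

# Resolve nested membership so a user hidden two groups deep is still reported.
$members = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [pscustomobject]@{ Group = $g; Sam = $_.SamAccountName } }
}

$report = $members | Group-Object Sam | ForEach-Object {
    $u = Get-ADUser -Identity $_.Name -Properties mail, LastLogonDate, whenCreated, Enabled, $reviewAttr
    $lastReview = $null
    if ($u.$reviewAttr) {
        $lastReview = [datetime]::ParseExact($u.$reviewAttr, 'yyyy-MM-dd', $null)
    }
    [pscustomobject]@{
        Account           = $u.SamAccountName
        PrivilegedGroups  = (($_.Group.Group | Sort-Object -Unique) -join ';')
        Enabled           = $u.Enabled
        HasMailAddress    = [bool]$u.mail                  # privileged accounts should have none
        LastLogon         = $u.LastLogonDate
        LastReview        = $lastReview
        NeedsRevalidation = (-not $lastReview) -or ($lastReview -lt $now.AddYears(-1))
        Stale             = [bool]$u.LastLogonDate -and ($u.LastLogonDate -lt $now.AddDays(-90))
    }
}

# Sorted so the accounts needing action come first; export the same object for the audit trail.
$report | Sort-Object NeedsRevalidation, HasMailAddress, Stale -Descending | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\privileged-access-review.csv" -NoTypeInformation
```

HasMailAddress is the cheap proxy for the Level 3 requirement: if an admin account has no mailbox and no proxy access, the "technical control" is already mostly in place. An account that is both stale and unreviewed is the first candidate for removal under the least-privilege requirement.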

Patch operating systems

Level 1
Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within one month of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.

Level 2
Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within two weeks of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.

Level 3
Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

An automated mechanism is used to confirm and record that deployed operating system and firmware patches or updates have been installed, applied successfully and remain in place.

Operating systems for workstations, servers and ICT equipment that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.
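Both patching strategies (applications and drivers above, operating systems and firmware here) share the same deadlines and, at Level 3, the same requirement for an automated mechanism that confirms patches were installed and remain in place. The script below is an added example, not from this page, alltasksIT or the ACSC, of what that mechanism can look like on a Windows endpoint: it records what is still missing and how long it has been offered against the deadline for the chosen level, then compares the installed update list with the previous run to catch rollbacks. It uses the Windows Update Agent COM API, treats MSRC "Critical" as a stand-in for the ACSC's "extreme risk" rating (an assumption; your own triage should override it), and the report folder under ProgramData is an assumed convention.

```powershell
<#
  Added example: automated patch confirmation and recording.
  Assumes the Windows Update Agent COM API is available locally.
  "Extreme risk" is approximated by MSRC severity "Critical" (assumption).
#>
param(
    [ValidateSet(1,2,3)] [int] $MaturityLevel = 3,
    [string] $StateDir = "$env:ProgramData\E8"   # assumed location for reports
)
New-Item -Path $StateDir -ItemType Directory -Force | Out-Null
$now = Get-Date

# Timeframes from the maturity tables: one month, two weeks, 48 hours.
$deadline = switch ($MaturityLevel) {
    1 { New-TimeSpan -Days 30 }
    2 { New-TimeSpan -Days 14 }
    3 { New-TimeSpan -Hours 48 }
}

# 1. What is still missing, and for how long has it been offered?
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$missing  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
$rows = foreach ($u in $missing) {
    $offeredAgo = $now - $u.LastDeploymentChangeTime
    [pscustomobject]@{
        Checked        = $now.ToString('s')
        Computer       = $env:COMPUTERNAME
        KB             = (@($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ';')
        Title          = $u.Title
        Severity       = $u.MsrcSeverity               # empty for drivers and feature updates
        OfferedDaysAgo = [math]::Round($offeredAgo.TotalDays, 1)
        Overdue        = ($u.MsrcSeverity -eq 'Critical') -and ($offeredAgo -gt $deadline)
    }
}
$rows | Export-Csv -Path (Join-Path $StateDir 'missing-updates.csv') -Append -NoTypeInformation

# 2. "Remain in place": anything installed at the last run but absent now points
#    at a rollback, a reimage from a stale image, or a failed in-place upgrade.
$snapshot     = Join-Path $StateDir 'installed-kbs.txt'
$installedNow = @(Get-HotFix | Select-Object -ExpandProperty HotFixID | Sort-Object -Unique)
$regressed    = @()
if (Test-Path $snapshot) {
    $regressed = Compare-Object -ReferenceObject @(Get-Content $snapshot) -DifferenceObject $installedNow |
        Where-Object SideIndicator -eq '<=' |
        Select-Object -ExpandProperty InputObject
}
Set-Content -Path $snapshot -Value $installedNow

# Summary object for the central collector (SIEM, RMM or a plain file share).
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    Checked         = $now.ToString('s')
    MissingTotal    = @($rows).Count
    OverdueCritical = @($rows | Where-Object Overdue).Count
    Regressed       = ($regressed -join ';')
}
```

Run it daily as a scheduled task under SYSTEM. The first run only seeds the snapshot; from the second run onward an empty Regressed field is the evidence that deployed patches "remain in place", and any non-zero OverdueCritical count is a breach of the level's timeframe, not merely a backlog.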

Multi-factor authentication

Level 1
Multi-factor authentication is used to authenticate all users of remote access solutions. Multi-factor authentication uses at least two of the following authentication factors: passwords with six or more characters, Universal 2nd Factor security keys, physical one-time password tokens, biometrics, smartcards, mobile app one-time password tokens, SMS messages, emails, voice calls or software certificates.

Level 2
Multi-factor authentication is used to authenticate all users of remote access solutions. Multi-factor authentication is used to authenticate all privileged users and any other positions of trust. Multi-factor authentication uses at least two of the following authentication factors: passwords with six or more characters, Universal 2nd Factor security keys, physical one-time password tokens, biometrics, smartcards or mobile app one-time password tokens.

Level 3
Multi-factor authentication is used to authenticate all users of remote access solutions. Multi-factor authentication is used to authenticate all privileged users and any other positions of trust. Multi-factor authentication is used to authenticate all users when accessing important data repositories. Multi-factor authentication uses at least two of the following authentication factors: passwords with six or more characters, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards.

Daily backups

Level 1
Backups of important information, software and configuration settings are performed monthly. Backups are stored for between one and three months. Partial restoration of backups is tested on an annual or more frequent basis.

Level 2
Backups of important information, software and configuration settings are performed weekly. Backups are stored offline, or online but in a non-rewritable and non-erasable manner. Backups are stored for between one and three months. Full restoration of backups is tested at least once. Partial restoration of backups is tested on a bi-annual or more frequent basis.

Level 3
Backups of important information, software and configuration settings are performed at least daily. Backups are stored offline, or online but in a non-rewritable and non-erasable manner. Backups are stored for three months or greater. Full restoration of backups is tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur. Partial restoration of backups is tested on a quarterly or more frequent basis.
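The backup levels turn on four measurable things: cadence, retention, write protection of stored copies, and restoration tests. The script below is an added example (not from this page, alltasksIT or the ACSC) of a partial restoration test that also records the other three, so each run produces the evidence an assessor asks for. It assumes a backup repository of date-named folders, each carrying a manifest.csv with Path and SHA256 columns written by the backup job; the share path and report location are hypothetical.

```powershell
<#
  Added example: partial restoration test with cadence, retention and
  write-protection checks. Assumes backup sets are folders named yyyy-MM-dd
  under $BackupRoot, each with manifest.csv (Path,SHA256) from the backup job.
#>
param(
    [string] $BackupRoot  = '\\backup01\Daily',            # hypothetical repository
    [string] $ScratchDir  = "$env:TEMP\E8-restore-test",
    [string] $ReportPath  = "$env:ProgramData\E8\restore-tests.csv",
    [int]    $SampleSize  = 20,
    [ValidateSet(1,2,3)] [int] $MaturityLevel = 3
)
$now  = Get-Date
$sets = Get-ChildItem -Path $BackupRoot -Directory |
        Where-Object Name -match '^\d{4}-\d{2}-\d{2}$' | Sort-Object Name
if (-not $sets) { throw "No backup sets found under $BackupRoot" }
$newestSet = $sets[-1]

# Cadence: newest set must be no older than monthly / weekly / daily.
$newest    = [datetime]::ParseExact($newestSet.Name, 'yyyy-MM-dd', $null)
$maxAge    = switch ($MaturityLevel) { 1 { 31 } 2 { 7 } 3 { 1 } }
$cadenceOk = ($now - $newest).Days -le $maxAge

# Retention: Levels 1 and 2 keep one to three months, Level 3 three months or more.
$oldest      = [datetime]::ParseExact($sets[0].Name, 'yyyy-MM-dd', $null)
$minDays     = if ($MaturityLevel -eq 3) { 90 } else { 30 }
$retentionOk = ($now - $oldest).Days -ge $minDays

# Write protection (Level 2+): a completed set must refuse writes from the account
# running backups, otherwise ransomware with that account's rights can destroy it.
$probe = Join-Path $newestSet.FullName 'write-probe.tmp'
try   { [IO.File]::WriteAllText($probe, 'x'); Remove-Item -Path $probe; $writeProtected = $false }
catch { $writeProtected = $true }

# Partial restoration: copy a random sample out of the newest set and verify each hash.
$manifest = Import-Csv -Path (Join-Path $newestSet.FullName 'manifest.csv')
$sample   = $manifest | Get-Random -Count ([Math]::Min($SampleSize, @($manifest).Count))
New-Item -Path $ScratchDir -ItemType Directory -Force | Out-Null
$mismatches = foreach ($entry in $sample) {
    $src = Join-Path $newestSet.FullName $entry.Path
    $dst = Join-Path $ScratchDir ([IO.Path]::GetFileName($entry.Path))
    Copy-Item -Path $src -Destination $dst -Force
    if ((Get-FileHash -Path $dst -Algorithm SHA256).Hash -ne $entry.SHA256) { $entry.Path }
}

$result = [pscustomobject]@{
    Tested         = $now.ToString('s')
    Set            = $newestSet.Name
    Sampled        = @($sample).Count
    HashMismatches = @($mismatches).Count
    CadenceOk      = $cadenceOk
    RetentionOk    = $retentionOk
    WriteProtected = $writeProtected
}
New-Item -Path (Split-Path $ReportPath) -ItemType Directory -Force | Out-Null
$result | Export-Csv -Path $ReportPath -Append -NoTypeInformation
$result
```

Schedule it at the interval the level requires (annual, bi-annual, quarterly) and keep the CSV: a row per run is the record that restoration "is tested", and WriteProtected being false on an "immutable" repository is the finding that matters most, because it means the backups share the fate of the systems they protect.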

Learning how cyber threats can affect your business

A cyber security incident that impacts a small business can be devastating. This guide (by the ACSC) has been developed to help small businesses protect themselves from the most common cyber security incidents. The Australian Cyber Security Centre sees the impact of cyber security incidents each and every day, on individuals, large companies and small businesses.

This Australian Small Business Cyber Security Guide has been specifically designed for small businesses to understand, take action, and increase their cyber security resilience against ever-evolving cyber security threats. The language is clear, the actions are simple, and the guidance is tailored for small businesses.

What
A backup is a digital copy of your business’ most important information. This can be to an external, disconnected hard drive e.g. USB or to the Cloud.

An automatic backup is a default or ‘set and forget’ system that backs up your data automatically, without human intervention.

Why
Quicker and easier to get your business back up and running if information is lost, stolen or destroyed

Protects the credibility of your business and helps meet legal obligations

Peace of mind that you’re always protected, so you can focus on the business efforts that deliver value

When
Choose a backup system that’s right for your business

Test that you’re able to restore your backup regularly

Store a physical backup somewhere safe offsite

How?
For businesses, your IT support company should be managing this process.

What
Unauthorised software designed to cause harm

Malware is a blanket term for malicious software including viruses, spyware, trojans and worms.

Why?
Disrupt. Damage. Deceive. Typically, for profit.

Malware gains access to important information such as bank or credit card numbers and passwords. It can also take control of or spy on a user’s computer. What criminals choose to do with this access and data includes theft, pranks, activism, espionage and other serious crimes.

Who?
Anyone, anywhere. Malware creators can be anywhere in the world. They just need a computer, technical skills and malicious intent.

Criminals can easily access cheap tools to use malware against you. It is not personal – they are not targeting you specifically – it is just business.

Malware protection
Operating System Updates
3rd Party Patching
Backups
MFA

What?
‘Dodgy’ emails designed to trick recipients out of money and data

Pronounced ‘fishing’, they are emails from individuals or companies you ‘think’ you know. They mimic phrasing, branding and logos to appear ‘real’, before conning users into clicking on a link or attachment. Here, they defraud users by asking them to provide or confirm their personal information, such as passwords and credit card numbers, or to pay a fake account. They can also send an attachment, designed to look genuine, with malware inside.

Who?
People with money – it is a numbers game

Phishing emails are typically sent to thousands of people. Even if only a small percentage of recipients fall for the scam, they can collect significant data and sums of money.

  • Phishing (low sophistication, many targets): usually general emails with obvious warning signs, sent to thousands of targets
  • Spear phishing (high sophistication, fewer targets): fraudulent and sophisticated messages sent to a specific individual, usually the business owner, receptionist or finance and payroll manager
  • Whaling (high sophistication, fewer and higher-value targets): spear phishing aimed at very big fish, such as CEOs


Where?
Emails, SMS, instant messaging, social media

Phishing scams are not limited to emails. They are increasingly sophisticated and harder to spot.

Be cautious of:
  • Requests for money, especially if urgent or overdue
  • Bank account changes
  • Attachments
  • Requests to check or confirm login details
Recommendations for your business:
  • Cyber Awareness Training
  • Update your procedures relating to how you handle supplier and employee bank account changes
  • Review procedures around on-boarding new suppliers and their bank-accounts


What?
Software updates

An update is a new, improved or safer version of software (a program, app or operating system such as Microsoft Windows or Apple iOS) that your business has installed on its computers or mobile devices.

An automatic update is a default or ‘set and forget’ system that installs a new version of your software as soon as it is available.

Why?
Safer. Faster. Better.

  • Better online security
  • Improved protection (in real-time, directly by the experts) from loss of money, data and identity
  • Enhanced features and efficiencies for programs and apps.


When?
Today & everyday

  • Turn on or confirm auto-updates, especially for operating systems
  • If auto-updates are unavailable, regularly check for updates and install them as soon as possible
  • Set a convenient time for auto-updates to avoid disruptions to business as usual
  • If you use anti-virus software, ensure automatic updates are turned on
  • If you are a business, outsource the management of these critical updates


What?
A security measure that requires two or more proofs of identity to grant you access. Multi-factor authentication (MFA) typically requires a combination of something the user knows (PIN, secret question), physically possesses (card, token) or inherently possesses (fingerprint, retina).

Why?
Significantly more powerful security

The multiple layers make it much harder for criminals to attack your business. Criminals might manage to steal one proof of identity e.g. PIN, but they still need to obtain and use the other proofs of identity. Two-factor authentication (2FA) is the most common type of MFA.

When?
Accessing important internal and external accounts

Small businesses should implement MFA wherever possible. Some MFA options include, but are not limited to:
  • Physical token
  • Random pin
  • Biometrics/ fingerprint
  • Authenticator app (alltasksIT Recommendation)
  • Email and SMS


What?
Certain malware that locks down your computer and files until a ransom is paid

Ransomware attacks are typically carried out via a malicious but legitimate-looking email link or attachment. When downloaded or opened, most ransomware encrypts a user’s files, then demands a ransom to restore access – typically payable using cryptocurrency, like Bitcoin.

Why?
Money. Ransom, an age-old and effective crime, is now being committed online. Ransomware offers cyber criminals a low-risk, high-reward income. It is easy to develop and distribute. Also in cyber criminals’ favour, most small businesses are unprepared to deal with ransomware attacks.

Who?
Small, medium and large businesses

Many small businesses are often less security conscious, are less likely to implement cyber security measures, and spend less on cyber security measures.

Prevent Ransomware
  • Update operating systems
  • Update software
  • Back up your important data
  • Cyber awareness training
  • MFA


People and Procedures

Businesses, no matter how small, need to be aware of and consciously apply cyber security measures at every level.

Given small businesses often lack the resources for dedicated IT staff, this section addresses how you can manage who can access, and who can control your business’ information, and the training of your staff.

Your internal processes and your workforce are the last, and one of the most important lines of defence in protecting your business from cyber security threats.

What?
A process to regulate who can access what within your business’ computing environment

Access control is a way to limit access to a computing system. It allows business owners to:
  • Decide who they would like to give access privileges to
  • Determine which roles require what access
  • Enforce staff access control limits.


Why?
To minimise risk of unauthorised access to important information

Many small businesses employ internal staff or outsource work to external suppliers e.g. website hosting companies.

Access control systems help you protect your business by allowing you to limit staff and supplier access to your computer:
  • Networks
  • Files
  • Applications
  • Sensitive data

Who?
Principle of least privilege

Depending on the nature of your business, the principle of least privilege is the safest approach for most small businesses. It gives users the bare minimum permissions they need to perform their work. This also reduces the risk of an ‘insider’ accidentally or maliciously endangering your business.

Next steps
  • Restrict administrator privileges
  • Do not share passphrases
  • Remember to revoke accounts


What?
Using a phrase or sentence, not one word, as your password

A passphrase is similar to a password. It is used to verify access to a computer system, program or service. Passphrases are most effective when they are:
  • Used with multi-factor authentication
  • Unique – not a famous phrase or lyric, and not re-used
  • Longer – phrases are generally longer than words
  • Complex – naturally occurring in a sentence with uppercase, symbols and punctuation
  • Easy to remember – saves you being locked out.


Why?
  • Greater security and more convenience – harder to crack with common password attacks
  • Easier to remember than random characters
  • Meets password requirements easily – upper and lower-case letters, symbols and punctuation


Where?
For all fixed and mobile devices. Passphrases will significantly increase security across all of your business’ devices. See below for a comparison of password vs passphrase security.

What?
Education to protect your staff and business against cyber threats

Cyber security awareness training can help to change the habits and behaviours of staff and create a sense of shared accountability in keeping your small business safe. Your training teaches staff how to:
  • Recognise
  • Avoid
  • Report
  • Remove
  • Recover


Why?
Employees can be the first and last line of defence against cyber threats

Employees make mistakes. As business owners, you have a legal responsibility to keep your business and customer information safe. That’s why having a cyber security training program is vital.

When?
Regular cyber security awareness and training

Cyber security is continuously evolving. Keeping everybody up to date could be the difference between whether or not a criminal accesses your money or data.

Next steps
  • Incorporate, update and regularly repeat
  • Create a cyber security incident response plan
  • Reward employees who find threats
  • Create a cyber security culture


Want to know a little more? Have a friendly alltasksIT staff member contact you.